Do you have a test-case that reproduces the problem that we could look at? You shouldn't really need to work with PolicyEnforcer itself. To answer your question though, yes PolicyEnforcer needs to know whether it's the initiator or not - there is a "boolean initiator" in the constructor.
Colm. On Wed, Aug 7, 2019 at 5:48 PM Erik Lund Jensen <[email protected]> wrote: > Hi > > I have upgraded an old ws-security cxf client application to Java 11. It > now uses StAX and builds a policy and sets the > PolicyConstants.POLICY_OVERRIDE at the client's requestContext. > > It almost works, however, when getting to processing the response from the > server then the PolicyEnforcer throws exception with no message (null). > I ran a modified version of the PolicyEnforcer, which did not throw > validation exception (inspired by issue WSS-486 with the modified > if-statements in PolicyEnforcer). > The result was that the PolicyVerificationInInterceptor then listed all > the policy alternatives that could not be satisfied: > > Caused by: org.apache.cxf.ws.policy.PolicyException: These policy > alternatives can not be satisfied: > { > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token > { > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}WssX509V3Token10 > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken > { > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RequireThumbprintReference > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TripleDes > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Lax > { > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp > { > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}OnlySignEntireHeadersAndBody > { > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignBeforeEncrypting > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts > at > org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179) > > If I remove the PolicyVerificationInInterceptor from the cxf chain then > the message is decrypted and everything looks fine. > Could it be, that the PolicyEnforcer needs to know if it runs on the > server-side or client-side and thereby be less strict at the client-side? > > Best regards > Erik > > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
